Alert triggers
Alert triggers run workflows automatically when detection or alerting rules generate an alert. Use alert triggers for alert enrichment, automated incident response, case creation, or notification routing.
When a rule generates an alert that triggers your workflow, the trigger passes the alert's context data to the workflow through the event field, so workflow steps can reference the alert and the rule that produced it.
To set up an alert trigger, follow these steps:
1. Define an alert trigger

Create a workflow with an alert trigger:

```yaml
name: Security Alert Response
description: Enriches and triages security alerts
enabled: true
triggers:
  - type: alert
steps:
  ....
```

2. Configure the alert rule
After creating your workflow, configure your alert rule to trigger it.
For alerting rules (Stack Management):
- Go to Rules in Stack Management or use the global search field.
- Find or create the alerting rule you want to trigger the workflow.
- In the rule settings, under Actions, select Add action.
- Select Workflows.
- Select your workflow from the dropdown or create a new one. You can only select enabled workflows.
- Under Action frequency, choose whether to run separate workflows for each generated alert.
- (Optional) Add multiple workflows by selecting Add action again.
- Create or save the rule.
For detection rules (SIEM):
- Go to Detection rules (SIEM) in the navigation menu or use the global search field.
- Find or create the detection rule you want to trigger the workflow.
- In the rule settings, under Actions, select Workflows.
- Select your workflow from the dropdown or create a new one. You can only select enabled workflows.
- Under Action frequency, choose whether to run separate workflows for each generated alert.
- (Optional) Add multiple workflows by selecting Add action.
- Create or save the rule.
When the configured rule generates an alert, your workflow automatically executes with the alert context.
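As an added example (not from this page or the product's own reference), the workflow above filled in with steps that consume the alert context the trigger places in event. The console, if and http step types, their with and condition keys, the event.alerts and event.rule paths, and the webhook URL are assumptions to check against the workflow reference for your version.

```yaml
name: Security Alert Response
description: Enriches and triages security alerts
enabled: true
triggers:
  - type: alert
steps:
  # Assumed: the trigger exposes the alert(s) under event.alerts and the
  # originating rule under event.rule. Index 0 is used because the rule action
  # was configured to run a separate workflow for each generated alert.
  - name: log_alert
    type: console          # assumed step type
    with:
      message: >-
        Alert {{ event.alerts.0._id }} from rule {{ event.rule.name }}
        (severity {{ event.alerts.0.kibana.alert.severity }})
  - name: escalate_high
    type: if               # assumed conditional step
    condition: "{{ event.alerts.0.kibana.alert.severity }} == 'high'"
    steps:
      - name: notify_oncall
        type: http         # assumed step type
        with:
          url: https://example.invalid/hooks/oncall   # placeholder endpoint
          method: POST
          body:
            alert_id: "{{ event.alerts.0._id }}"
            rule: "{{ event.rule.name }}"
            severity: "{{ event.alerts.0.kibana.alert.severity }}"
```

Keep enabled: true, since the rule action dropdown only lists enabled workflows.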